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DETAILED ACTION 

1 . The office action is in replay to an amendment filed on 03/27/2007. Claim 2 is 
cancelled. Claims 1,3,13,14 have been amended. Claims 1,3-22 are pending. 

2. The examiner withdraws the previous U.S.C 101,102 claim rejection based on 
the applicant amendment. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1 ,3-22 have been considered but 
are moot in view of the new ground(s) of rejection. 

Claim Rejections -35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1,3,4-8,10-14,18-22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Milliken (US Patent 6,978,223 B2) in view of Ebata et al 
(hereinafter referred as Ebata) US Pub No 20020042837. 

6. As per claim 1: Milliken discloses a method of tracking-back a malicious data 
packet in a connection-oriented communication network, comprising the steps of: a) for 
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a given time window (Time Period), computing a unique flow identifier (Flowld) for each 
packet of a given flow seen by a router interface (Incoming Link) at a network node (See 
Fig 8 steps 805,505,510, 515 and col 3 lines 11-21); b) inserting said Flowld into a data 
structure associated to said Time Period and said Incoming Link, available at said 
network node (See Fig 8 steps 805,505,510,515); c) storing said data structure in a 
searchable repository(Fig 4 step 405 and col 6 lines 12-37); and d) repeating steps a) to 
c) for a next Time Period and for each Incoming link at said network node(See Fig 10). 

Miliken does not disclose discloses determining the time of arrival X of said 
malicious packet at said network node and computing flowid for said malicious packet; 
and identifying said incoming link for said malicious packet by searching for the flowid of 
said malicious packet in all data structures for said network node that cover the time of 
arrival X. 

However Ebata discloses determining the time of arrival X of said malicious 
packet at said network node and computing flowid for said malicious packet 
(0015,0049,0056); and identifying said incoming link for said malicious packet by 
searching for the flowid of said malicious packet in all data structures for said network 
node that cover the timefSee 001 5,0049,0056). 

Therefore it would have been obvious to one ordinary skill in the art at the time 
the invention was made to modify the teaching method of Mikkiken to include e) 
determining the time of arrival X of said malicious packet at said network node and 
computing Flowld for said malicious packet; and f) identifying said Incoming Link for 
said malicious packet by searching for the Flowld of said malicious packet in all data 
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structures for said network node that cover the time of arrival X. This modification would 
have been motivated to do so, as suggested by, (See Milliken col 3 lines 8-10) inorder 
to determining network performance parameters based on the determined temporal 
behavior. 

7. As per claim 3: the combination of Milliken and Ebata disclose further comprising 
tracing-back hop by hop the source of said single packet from said router, by performing 
steps e) and f) for each network node along the path of said malicious packet (See 
Ebata See 0015,0049,0056). 

8. As per claim 4: the combination of Milliken and Ebata disclose the method 
wherein step a) is based on flow definition adopted for said network (See Milliken Fig 1 
and col 4 lines 17-38). 

9. As per claim 5: the combination of Milliken and Ebata disclose the method 
wherein step a) comprises applying a specified function to one or more header fields of 
each packet received in said flow (See Milliken Fig 5 steps 505,510,515). 

10. As per claim 6: the combination of Milliken and Ebata disclose the method 
wherein step a) comprises applying a specified function to one or more header fields of 
each packet received in said flow and an incoming interface identification parameter 
(See Milliken Fig 10 step 1015 and Fig 8 step 805). 

11. As per claim 7: the combination of Milliken and Ebata disclose the method 
wherein step a) comprises applying a specified function to one or more characteristics 
of each packet (See Milliken Fig 5 steps 505,510,515 and col 3 lines 1 1-20). 
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12. As per claim 8: the combination of Milliken and Ebata disclose the method 
wherein step a) comprises applying a specified function to one or more characteristics 
of each packet received in said flow and an incoming interface identification parameter 
(See Milliken Fig 5 steps 505,510,515 and col 3 lines 11-20). 

13. As per claim 10: the combination of Milliken and Ebata disclose the method 
wherein said searchable repository is maintained for each router interface at said 
network node (See Milliken Fig 7 step 705 and col 3 lines 38-40). 

14. As per claim 1 1 : the combination of Milliken and Ebata disclose the method 
wherein said searchable repository stores all said data structures for all router interfaces 
at said network node (See Milliken Fig 10 steps 1010,1015). 

15. As per claim 12: the combination of Milliken and Ebata disclose the method 
wherein said searchable database is a centralized searchable repository maintained for 
said network (See Milliken Fig 4 and col 6 lines 1 1-37). 

1 6. As per claim 1 3: Milliken discloses a method of tracking-back a malicious data 
packet in a connection-oriented communication network, comprising the steps of: a) for 
a given time window (Time Period), computing a unique flow identifier (Flowld) for each 
packet of a given flow seen by a router interface (Incoming Link) at a network node 
based on a flow characterization parameter obtained from management system (See 
Fig 8 steps 805,505,510, 515 and col 3 lines 11-21); b) inserting said Flowld into a data 
structure associated to said Time Period and said Incoming Link, available at said 
network node (See Fig 8 steps 805,505,510,515); c) storing said data structure in a 
database that is centralized searchable repository(Fig 4 step 405 and col 6 lines 12-37); 
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and d) repeating steps a) to c) for a next Time Period and for each Incoming link at said 
network node(See Fig 10). 

Milliken does not explicitly teach e)finding in said searchable repository the . 
incoming link for said malicious packet based on a Flowid and a time of arrival X of said 
malicious packet. 

However Ebata disclose e) finding in said searchable repository the incoming link 
for said malicious packet based on a Flowid and a time of arrival X of said malicious 
packet (See 0015,0049). 

Therefore it would have been obvious to one ordinary skill in the art at the time 
the invention was made to modify the teaching method of Mikkiken to include finding in 
said searchable repository the incoming link for said malicious packet based on a 
Flowid and a time of arrival X of said malicious packet. This modification would have 
been motivated to do so, as suggested by, (See Milliken col 3 lines 8-10) inorder to 
determining network performance parameters based on the determined temporal 
behavior. 

17. As per claim 14: Milliken disclose a system for tracking-back a malicious data 
packet in a connection-oriented communication, comprising: means for computing a 
unique flow identifier Flowid for each packet of a flow seen by a router interface 
(Incoming Link) at a network node over a given period of time (Time Period); means for 
inserting said Flowid into a data structure associated to said Time Period (See Fig 8 
steps 805,505,510, 515), and said Incoming Link available for said network node; a 
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database that is a centralized searchable repository for storing said data structure(Fig 4 
step 405 and col 6 lines 12-37). 

Mikkiken does not explicitly teach a search engine for finding in said searchable 
repository the Incoming Link for said malicious packet based on a Flowld and a time of 
arrival X of said malicious packet. 

However Ebata discloses a search engine for finding in said searchable 
repository the Incoming Link for said malicious packet based on a Flowld and a time of 
arrival X of said malicious packet (See 001 5,0049,0056). 

Therefore It would have been obvious to one ordinary skill in the art at the time 
the invention was made to modify the teaching method of Mikkiken to include a search 
engine for finding in said searchable repository the Incoming Link for said malicious 
packet based on a Flowld and a time of arrival X of said malicious packet. This 
modification would have been motivated to do so inorder to enhance the security of the 
system. 

18. As per claim 16: the combination of Milliken and Ebata teach the system wherein 
one said searchable repository is maintained for each interface at said network node 
(See Milliken Fig 7 step 705 and col 3 lines 38-40). 

19. As per claim 17: the combination of Milliken and Ebata teach the system of 
wherein one said searchable repository is maintained for said network node (See 
Milliken Fig 4 and col 6 lines 11-37). 
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20. As per claim 18: the combination of Milliken and Ebata teach the system of 
wherein said searchable repository is a centralized database maintained for said 
network (See Milliken Fig 4 and col 6 lines 11-37). 

21. As per claim 19: the combination of Milliken and Ebata teach the system of 
further comprising a flow based monitoring system for providing a flow characterization 
parameter to said means for calculating (See Milliken Fig 12 step 1210). 

22. As per claim 20: the combination of Milliken and Ebata teach the system further 
comprising a flow management system for generating a flow characterization parameter 
(See Milliken Fig 9 step 915). 

23. As per claim 21 : the combination of Milliken and Ebata teach the system of 
wherein said means for computing is a Flowld calculator for computing said Flowld form 
one or more of packet header fields, packet characterization parameters and interface 
identification information (See Milliken Fig 12 steps 1230,1235). 

24. As per claim 22: the combination of Milliken and Ebata teach the system wherein 
said means for computing is a Flowld calculator for computing said Flowld form packet 
header information (See Milliken Fig 12 step 1205). 

25. Claims 9,15 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Milliken (US Patent 6,978,223 B2) in view of Ebata et al (hereinafter referred as 
Ebata) US Pub No 20020042837 and further in view of Snoeren et al(Hash based 
IP Traceback, 27 Augest 2001). 
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26. As per claim 9: the combination of Milliken and Ebata teach claim 1 as recited 
above. Milliken and Ebata do not explicitly teach the method wherein said data structure 
is a hash table based on a Bloom filter. However Snoeren teach the combination of 
Milliken and Snoeren the method wherein said data structure is a hash table based on a 
Bloom filter (See page 2 first paragraph). 

Therefore It would have been obvious to one ordinary skill in the art at the time 
the invention was made to modify the teaching method of Milliken to include the method 
wherein said data structure is a hash table based on a Bloom filter. This modification 
would have, been motivated to do so, as suggested by, (Snoeren page 2) inorder to 
reduce the memory requirement through the use of Bloom filter. 

27. As per claim 15: the combination of Milliken and Ebata teach claim 14 as recited 
above. The combination of Milliken and Ebata does not explicitly teach the system 
further comprising a flow-based monitoring system for tracking back hop-by-hop the 
source of said malicious packet. However Snoeren teach a flow-based monitoring 
system for tracking back hop-by-hop the source of said malicious packet (See Snoeren 
page 4 section 3.3). Therefore It would have been obvious to one ordinary skill in the art 
at the time the invention was made to modify the teaching method of Milliken and Ebata 
to include a flow-based monitoring system for tracking back hop-by-hop the source of 
said malicious packet. This modification would have been motivated to do so inorder to 
enhance the security of the system. 
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Conclusion 

28. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .1 36(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

29. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Fikremariam Yalew whose telephone number is 
5712723852. The examiner can normally be reached on 9-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Moazzami Nasser can be reached on 5712724195. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Fikremariam Yalew Art Unit 21 36 
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